Posted by Soulskill on Friday July 09, 2010 @05:42PM
from the now-looking-for-a-torrent-tracker dept.

tsu doh nimh writes "A group of hackers from Argentina recently broke into the database for thepiratebay.org, the Internet's largest torrent search engine, exposing user names, Internet addresses, and (MD5) hashed password data on more than 4 million users, according to Brian Krebs. He interviewed the leader of the group, Ch Russo, who said they briefly considered what the information would be worth to the RIAA and MPAA before going public with the breach. From the story: 'Probably these groups would be very interested in this information, but we are not [trying] to sell it,' Russo said. 'Instead we wanted to tell people that their information may not be so well protected.'"

Part of Krebs's story is that he joined TPB's IRC channel in order to bring the issue to the mods' attention. He says he was taunted by mods who didn't believe he was a journalist or that he actually had anything, and then was kicked/banned after he posted the md5 sums for some administrative passwords. In this manner he makes the channel mods look like immature jerks, but I talked to the mod that actually kicked him not long after the story broke. Evidently the guy was typing like an idiot (multiple messages per sentence) and acting in a rather unprofessional manner. Too, the kick was not because of the hashes, which he posted over half an hour before the kick. I just want people to know the other side of the story.

Oh, and for the record, this leak isn't as big a deal as some might think. IP addresses can be gathered from the swarms themselves, email addresses used by TPB users should hopefully be throwaway addresses, and torrent hashes are inconsequential. Login details might be a problem for Trusted/VIP/staff accounts, but any serious users are not that concerned about this and would have changed their passwords/emails by now.

What makes this valuable (as opposed to trawling the torrent connections themselves) is the centralized nature: It's already collected. This makes data analysis on it much easier, since prospective users wouldn't need to gather the information themselves.

When has doing things that are illegal stopped the RIAA before? DoS attacks and so on seem to be their modus operandi. Anyway, inadmissible in court isn't always a limitation. If they can use this to identify the big uploaders, they can then probably legally obtain enough evidence for a conviction.

False. Evidence does not become inadmissible in Sweden just because it was illegally obtained.

In the US (just for the record) it is only supposed to become inadmissible when illegally obtained by police. We actually have a whole constitutional amendment for it. Unfortunately, it has been overturned in court, no joke. Cops can now use evidence obtained illegally or in an illegal arrest against the citizenry. A citation should be easy to find but I'm on my slowest netbook.

TPB could even sue for that

False. Hacking a site would be a criminal offense. Suing would be a civil matter. TPB could report it to the police, who could then proceed with an investigation.

And if they can show some sort of damages, can't they then sue for them?

In the U.S., evidence obtained illegally by NON-law-enforcement IS allowed in court, and has been used numerous times even in criminal cases. Many drug cases hinge on illegally-obtained evidence from snitches, who can snoop where the cops can't. Snitch snoops your property, tells the cops, "Hey officer, if you search that shed, you'll find drugs and stuff"; cops then proceed to get a warrant for a search, with the "probable cause" being info from the snitch's illegal snooping (trespassing).

In this manner he makes the channel mods look like immature jerks, but I talked to the mod that actually kicked him not long after the story broke. Evidently the guy was typing like an idiot (multiple messages per sentence) and acting in a rather unprofessional manner.

The mods banned the guy who has all their user data because he hit Enter too much. Not sure how that supports your premise?

Still childish. There's that weird, unmentionable power component that seems to come into play for computer geeks/nerds whenever hacking/cracking comes into view. Makes people act like idiots because they feel threatened. Also, penetrating a system gives you a high like you wouldn't believe - the hacker could have been acting irrationally because of this euphoria. Some people become addicted to this.

email addresses used by TPB users should hopefully be throwaway addresses,

They make it difficult - for example they have banned mailinator addresses, despite themselves once offering a similar (but now defunct) service. As mailinator's admin goes to great lengths (as detailed on his blog) to stop automated use of mailinator addresses, the only reason to block mailinator is to force TPB users into more traceable mail services.

Because it's professional to kick someone who is telling you about a security breach in your product because you don't like the way that they type.

Are you saying that they should have taken him at his word, right off the bat, that he's a serious journalist? If someone walked up to you on the street in a fancy business suit but started speaking Pig Latin, would you take them seriously?

One solution is to have people enter their e-mail address when they want to change their password. If the MD5 or SHA1 hash of the entered address matches the hash of the e-mail address on file, then send out the e-mail. If it does not, then that's not the right person. Then you don't need the actual address on file at all.
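The reset flow proposed in the comment above, as an added example that is not part of the original thread. It keeps only a fingerprint of each address on file and mails the address the requester typed, exactly as described. The user table, the server key and the addresses are constructed for the demonstration. The plain SHA1 variant is the commenter's scheme; the HMAC variant is a hardening I am adding: an unkeyed hash of an e-mail address can be matched against any list of known addresses by hashing that list, whereas the keyed form cannot be matched without the server-side key, which is stored apart from the user table.

```python
import hashlib
import hmac

# Constructed server-side secret. In a real deployment it lives in a key store,
# not in the same database as the user table, so a dumped table cannot be
# matched offline against a list of addresses.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def normalise(address: str) -> str:
    """Trim and lower-case so 'Alice@Example.org ' and 'alice@example.org' agree."""
    return address.strip().lower()


def unkeyed_fingerprint(address: str) -> str:
    """The scheme from the comment: a plain SHA1 of the address. Anyone holding
    the table can test a candidate address by hashing it."""
    return hashlib.sha1(normalise(address).encode("utf-8")).hexdigest()


def keyed_fingerprint(address: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: HMAC-SHA256 under a server key. Without the key, a leaked
    fingerprint cannot be matched against candidate addresses."""
    return hmac.new(key, normalise(address).encode("utf-8"), hashlib.sha256).hexdigest()


def build_user_table(pairs, fingerprint=keyed_fingerprint) -> dict:
    """Constructed user table: username -> fingerprint. No plaintext address is stored."""
    return {user: fingerprint(addr) for user, addr in pairs}


def reset_target(user_table: dict, username: str, entered_address: str,
                 fingerprint=keyed_fingerprint):
    """Return the address to send the reset mail to, or None.

    The address comes from the request, not from storage. Unknown user and
    wrong address both return None so the response does not reveal which
    usernames exist."""
    stored = user_table.get(username)
    if stored is None:
        return None
    if hmac.compare_digest(stored, fingerprint(entered_address)):
        return normalise(entered_address)
    return None


if __name__ == "__main__":
    table = build_user_table([("alice", "Alice@Example.org"), ("bob", "bob@example.net")])
    print(reset_target(table, "alice", "alice@example.org"))   # alice@example.org
    print(reset_target(table, "alice", "mallory@example.org")) # None
    print(reset_target(table, "nobody", "alice@example.org"))  # None
```

The same table can be built with `fingerprint=unkeyed_fingerprint` to get the comment's original scheme; the reset logic is identical, only the offline-matching risk differs.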

Because it's professional to kick someone... because you don't like the way that they type

I haven't used IRC in a while but I don't ever remember it being very professional, and yes, anything the channel ops don't like gets you kicked (at least in the channels I used to hang out in). The fact that they gave him 30 minutes before kicking him from the channel is probably as professional as you can get.

He was typing weirdly, posting password hashes to main...he could be an RIAA agent in disguise, just some cr

C'mon guys...don't register your info with pirate bay. That's just stupid. It was only a matter of time. Just be glad it came from a hacker group and not the courts. Use these services anonymously until the legal crap is sorted out.

And passwords. Better hope nobody on TPB re-uses the same password for every website (hint: lots of people do). And before you tell me they're MD5 hashed, take a walk over to antichat and take a look at the people reversing hashes using high end video cards there. These guys don't give a crap about hashing anymore.

So here's a question. Who else has gotten into PirateBay's servers and NOT told them about it?

I'd think that an organization like PirateBay would be the very last people on Earth whom you'd want to give any sort of personally-identifiable information. I guess we can put this one into the "Darwin Filter" category.

side question: how many accounts are from president@whitehouse.gov, 1600 Pennsylvania Avenue NW, Washington DC 20050 USA?

There was this thing I read a few years ago, and never seemed to be mentioned again, that the TPB operators found that someone had logged into the TPB admin system - from an IP range assigned to the FRA (Swedish signals and computer espionage unit). It was quite surreal, because I also seem to remember the FRA specifically denying that anyone there was an OP at TPB. Or maybe I dreamt the whole thing?

1 - If they accept stolen information anything they do with it will be tossed out of court and taint any pending or future litigation.
2 - Having an account isn't grounds for anything.. I doubt even logs of what you searched for would be.

Crucifying pirates isn't their only function. Their other function is shutting down/sabotaging these networks. Can you imagine the junk/booby traps (mmmm boobies) they could scatter throughout these networks in a few hours USING these stolen credentials? The nuisance value itself is enormous. Don't think that big organizations, simply because they are big, limit themselves to legal means of achieving their ends.

1 - If they accept stolen information anything they do with it will be tossed out of court and taint any pending or future litigation.

It does not work that way in Sweden. The court could take it into consideration ( and probably would ) , but as far as I am aware there's no law which explicitly says evidence is inadmissible if illegally collected. Having said that, if evidence like this was collected illegally it would be simple for the defense to argue that it was unreliable since anybody who is disrespect

Well, the RIAA might find out that millions of people are downloading artistic material that they claim to 'own'. And they would know who.

Would they launch millions of lawsuits against these people? Would they go to the ISP providers and demand that that these millions of people be denied service? And would they offer to compensate the ISPs for the millions of dollars in lost revenue?

Would they put a microchip like an RFID into the brains of each of these millions of people so that if these people ever again tried to experience an artistic work by an 'artist' that they have downloaded then they would get a splitting headache for a day? You downloaded a Lady Gaga song once long ago to check out what the buzz on her was about and now whenever you see her picture in the mall the RFID chip in your head starts to blast migraines. So you don't ever go to shopping malls anymore and do retail shopping over the web instead? How many millions of people are going to be subjected to this before the mall owners get pissed?

Never forget: the RIAA is based on extortion. They don't care how many millions of people are downloading their product. They select a few people at random and focus their extensive brutal legal teams on these people, making their lives hell until they get paid off. The RIAA copyright 'violations' are just an excuse for extortion. If it wasn't copyright, then it would be something else.

We do have laws against this kind of thing. It's called RICO. It worked against the mafia and it will work against the RIAA.

If you ran a record company, and someone came to you with a list of the songs that people are willing to risk extortion to download and the names of those people, then you would have the perfect marketing tool. You know exactly who wants what in terms of artistic product. All that you don't know is the price that they are willing and able to pay. If they are downloading instead of buying, then the starting price point is too high. It's a negotiation beginning point; not a fucking Interpol crime. These downloaders are your customers, they are your best customers. Cultivate them; don't unleash the dogs of war against them.

I weep that you got modded up +4 insightful for saying that the RIAA is founded on extortion. People are forced to download movies and music are they? These are necessities of life? By that principle, a supermarket is extorting you by making you pay for your groceries.

Even if that is true, not only does it not matter because it was likely a user that posted them and not the site itself, but my point is still valid: we make a distinction between personal data and public data.

Since when does The Pirate Bay have a policy of only distributing "publicly available information?" Private information has been distributed via Pirate Bay before, such as the leaked Half-Life 2 source code or Paris Hilton's hacked cell phone pictures. Why should this information be any different?

If a torrent for the users' info appeared on the site and the admins ignored a community demand to take it down, you bet that community would ditch the site and TPB would die. It's in TPB's best interest to keep user information secret; I do not understand why this is hard to grasp.

If a torrent for the users' info appeared on the site and the admins ignored a community demand to take it down, you bet that community would ditch the site and TPB would die. It's in TPB's best interest to keep user information secret; I do not understand why this is hard to grasp.

Which again would make their actions hypocrisy, especially when they in turn laugh and try to ridicule people who ask them to remove such info from the site.

The case in which someone uploaded autopsy pics of two dead children to the site and they refused to take them down on principle? Yeah, I was asking for something about peoples' personal information. That isn't what I asked about.

>>>Which again would make their actions hypocrisy, especially when they in turn laugh and try to ridicule people who ask them to remove such info from the site.

You have any songs or movies or games recorded to CD, DVD, or hard drive that you never purchased? Then you are a hypocrite too, so shut up. "Do not criticize your neighbor for the splinter in his eye, when you have a log in your own." - Buddha

I'm not responding to any other point (of the many) that you have posted so far but the one quoted above made me laugh. The "community" in question is merely a group of opportunistic* users who come to TPB for downloading free stuff. I would be less surprised to see satan stepping out of my shower drying his goatee than to see this so-called community take any such organized action against TPB. TPB could kill kittens everyday and post the pics on its home page and it still wouldn't be boycotted =p

The "community" in question is merely a group of opportunistic* users who come to TPB for downloading free stuff.

There is also a decent number of users who are essentially top uploaders (think trusted/VIP users) and that are kinda important to the site. A great deal of them are, for example, active on TPB's forums. If many of them decided to leave TPB, it would be rather detrimental to the overall community. Remember, for BitTorrent (or just about any peer-to-peer network) to work, you need good seeders as

Interesting. I didn't know that. Since I share a wireless connection with no access to the router (for port forwarding setup), I'm unfortunately cut off from the entire torrenting world. Good thing I guess - keeps me honest through no fault of my own;)

By the way, I took back the "TPB is hypocritical" comment in a later post.

He's confusing the quote; "information wants to be free". I think that might have been Doctorow who said that, but the misinterpretation is just as sad. Passwords and logins are NOT public information, otherwise we'd all use no authentication, or the same login and password everywhere, or not care. Content is the info being referenced here; music, films, written works. THOSE are data sets that need to be freed. Why? Why not? I can listen to a song for free on the radio, or video on the free digital w

That phrase is way before Doctorow (he actually dislikes the phrase, see his article "IWTBF considered harmful"). It was first used famously (that I'm aware of) by Stewart Brand in the 1984 Hacker Conference.

I agree with you - in principle. However, if you think the vast majority of TPB users are using it for such noble purposes (pirating things they already own in some form or have paid for otherwise), you're being extraordinarily naive. For that matter, you conveniently left out software, all of which falls squarely in the "not public information" (unless it's free to begin with) and which accounts for a large fraction of traffic on TPB and other torrent sites.

Because it conflates privacy issues with intellectual property issues. There is nothing hypocritical in trying to contain private data but not copyrighted works.

Are you saying The Pirate Bay is mostly used for illegally transferring copyrighted works? I thought TPB admins have always tried to make a point that they're solely allowing people to transfer information and files with each other.

What's inconsistent between those two things? Just because people use TPB for copyrighted works, doesn't mean TPB itself is providing anything more than a matchmaking service between different clients.

Actually, they do interfere with the service, insofar as they remove fake torrents and ban the people who upload them. Why would it be inconceivable for the site to act in its own self-interest, along with the interests of its users, and take down a torrent that included the private information of its users?

Yes, they do. While they say they don't, this was actually one of the major reasons why TPB earlier lost in court, as copyright holders were able to prove that TPB admins monitor and delete the torrents. This put more liability on them.

But we're not talking about whether TPB should censor such a list (though they undoubtedly should), we're talking about whether the haxors should redistribute it in the first place.

So yes, per your point, if they did do this, TPB's complicity in the act of distribution would be minimal, and if they did stomp it out but the haxors were even moderately determined, they could ensure that the list's contents become public knowledge. But this does nothing to address the hypothetical dick-moveness of their endeav

The Pirate Bay no longer operates a torrent tracker. All they offer is a torrent indexing service (this is not necessarily a torrent hosting service, either, thanks to magnet links) that is indifferent to what the users choose to do with it (except for fakes and malware).

Now if the airline were called "Air Cocaine", the analogy would be better. The pirate bay is for pirated movies, music, software. Everyone, certainly including the admins, knows this. It's amazing that the same weasel words and legal foot-shuffling that Slashdot would be up in arms about were this a politician or corporation, is celebrated as a great thing when done by people stealing movies and music.

What the administrators set up the site for and what the users use it for can be different, albeit related, things. This post was pointless- it's undeniable that TPB is mostly used for piracy, but the point that personal data != public data is, again, still valid.

Are you saying The Pirate Bay is mostly used for illegally transferring copyrighted works? I thought TPB admins have always tried to make a point that they're solely allowing people to transfer information and files with each other.

Ah, but if it IS mostly used for illegally transferring copyrighted works, then the host of the file cannot be held liable for the copyrighted work if they are in a country that does not hold up that copyright agreement (and as far as I know ACTA hasn't been passed). So the most the **AA could sue someone for liable damages would then be ~$1. If you ARE going to somehow create the host responsible, then these Argentinians would be liable for the crime of hacking a database, regardless that hacking is legal i

From your perspective, sure. However, what's the difference between a private item and a public item?

Many of the things you consider private, you also share with other people, likely because they agree to use that information in a way you agree with. Is that not the exact same as what intellectual property issues come down to... the owner of the information will let you use it, but only if you use it the way they accept.

Funny how it's only YOUR information you care about that you want laws for YOUR protecti

Many of the things you consider private, you also share with other people, likely because they agree to use that information in a way you agree with. Is that not the exact same as what intellectual property issues come down to... the owner of the information will let you use it, but only if you use it the way they accept.

No, it's not the exact same. Private information (i.e., name, address, medical records, SSN) is meant to be inclusive in that only certain people get to know about it. Copyrighted works, on

I guess they could, and they may give RIAA executives multiple orgasms, but they'll get shunned in the court of public opinion.

You see, this is why I support whistle blowers. Because despite the claims of national security threats and the ridiculous conflation of government abuse and individual privacy rights, the ultimate judge is the public, and it just so happens that whistle blowers have an excellent record of watching over the best interests of the public.

Why would it be hypocritical of him to complain about you sharing his information? He's not sharing anyone else's unless you know otherwise. It's hypocritical for the pirate bay to condemn people for sharing data though, because they do share other people's data.

There are many actors here contributing to/affected by the action you're calling hypocritical. Let's break it down so it's clear who would be hypocrites and who wouldn't.

(a) the hackers: they did something illegal - distributing this ill-gotten information would be immoral for them (though just a bit funny, but I digress). Whatever they do though, there's nothing hypocritical about it.

(b) TPB: it's their site. They can choose to host the torrent of that information or not. Since they routinely allow torre

Wikileaks: since they routinely host illegally obtained information (and even private information such as emails, memos, etc.) it would be hypocritical of them not to publish because it would go against their stated morality.

Wikileaks do not "host illegally obtained information (and even private information such as emails, memos, etc.)". Wikileaks host illegally obtained information (and even private information such as emails, memos, etc.) that is pertinent to the public good, e.g. evidence that the US mi

Don't be absurd. First you deny that it does so and in the next breath qualify why it does so - your post is a mass of contradictions. I'm perfectly aware of why Wikileaks does what it does. One might argue that exposing a bunch of thieves is also "pertinent to the public good" - you know, the part of the public that does not indulge in such actions. I imagine the F/OSS community would also want filesharing to be permanently decoupled in the public perception from petty thievery. TPB is hardly the bastion o

Don't be absurd. First you deny that it does so and in the next breath qualify why it does so - your post is a mass of contradictions

What? I said 'wikileaks don't do x, they do x to a particular subset of people'. It's not hypocritical for them to treat people in the subset differently - it's what they do. Might as well say it's hypocritical for the police to only arrest people who are committing crimes and not target people who aren't - it's what they do. (Okay, bad example given recent police behaviour b

Indeed. I did go a bit overboard making my last point, which was contained in just one sentence: "Outing the users who traffic in the illegal stuff is, I would argue, very much in the public good." I wasn't concerned so much about TPB users abusing the companies than I was about their actions hurting the common good (by helping create an environment where [for example] something like ACTA becomes more likely to pass as a direct result of their actions). In that sense (and only in that sense) did I feel that

See, I knew we were more or less in agreement. I don't know if I'd want culprits released to the public - I'd prefer such things to be handled via normal legal channels. But it could be considered a public good, yes. Definitely showing how much of the Pirate Bay is used for illegal, rather than legal content would be great.

Regarding the extenuated verbiage, no offense (at least to myself, I obviously cannot speak for others) has been caused and, I must emphasize, the clarification, even though itself an

One, TPB isn't a tracker, it's an indexer. Two, you don't have to register for it; you can download torrents without an account. You only need an account for uploading, posting comments, and viewing/downloading porn torrents.

You only need an account for uploading, posting comments, and viewing/downloading porn torrents.

You don't even need that.

Complicated way: All you need to view/download porn torrents is to look at uploaded torrents of some user who has uploaded torrents in the porn section. Pretty easy to find such a user. If you look at uploaded torrents, you'll see "Type" on the left, which will be "Porn > Foo". If you click on it, you can browse that Porn section.